Dancing with Danger
Hacker Pleads Guilty to Spreading Botnets
by: Jerry Liao
There has been a lot of talks and reports that hackers are hacking into corporate systems for profit purposes. PCs are compromised and are being used to attack other systems for financial gains. But how they do it exactly remains a mystery somehow until the capture of John Schiefer, a computer security consultant for 3G Communications who went by the names Acid and Acidstorm online.
In the first prosecution of its kind in the nation, John Schiefer, a well-known member of the “botnet underground” was charged with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications. Schiefer, 26, of Los Angeles, has agreed to plead guilty to four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud.
The criminal information and plea agreement filed in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.
In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to http://www.paypal.com and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords,
Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.
In another scheme, Schiefer installed malware on zombie computers running Microsoft operating systems, causing them to disgorge usernames and passwords from a secure storage area known as the PStore. Schiefer and his co-schemers caused the zombie computers to send that account access information to computers that Schiefer and his co-schemers controlled. Once again, Schiefer located Paypal usernames and passwords among this data and used that authentication information to access victim bank accounts.
Finally, Schiefer acknowledged defrauding an Internet advertising company with his botnets. Schiefer signed up as a consultant with a Dutch Internet advertising company and promised to install the company’s programs on computers only when the owners gave consent. Instead, Schiefer and two co-schemers installed that program on approximately 150,000 computers that were infected with their malware. To avoid detection by the advertising company, Schiefer instructed his associates to moderate the number of installations so it appeared that the installations were legitimate and not the result of a malicious computer program that was propagating itself. Schiefer was ultimately paid more than $19,128.35 by the advertising company.
Schiefer has agreed to make an initial appearance in Los Angeles on November 28 and to be arraigned on December 3. Once he pleads guilty to the four counts, Schiefer will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million. The case was investigated by the Federal Bureau of Investigation.
This is one incident wherein we users should be alarmed but at the same time be vigilant. Companies should really have a security policy in place and security programs installed. Security is more than just products or appliance but it is a process. To achieve a secure environment, people, products and policies should all work together.
The Schiefer case is one clear example that the enemy is not only cunning but is also very smart and very technology literate. This should be a wake-up call to everyone especially to security providers. Make our digital experience more safe and secure. It should not only be your responsibility to protect us users, it should be your commitment.